chappy84 · October 8, 2022 10:01
diff --git a/xbrowsersync_api_centos.sh b/xbrowsersync_api_centos.sh
 #!/bin/sh

 ####################################################################################################
 #
 # Setup xBrowserSync API on CentOS
 #
 # Copyright (c) 2020, Tom Chapman (https://tom-chapman.uk)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification, are
 # permitted provided that the following conditions are met:
 #
 # 1. Redistributions of source code must retain the above copyright notice, this list of conditions
 # and the following disclaimer.
 #
 # 2. Redistributions in binary form must reproduce the above copyright notice, this list of
 # conditions and the following disclaimer in the documentation and/or other materials provided with
 # the distribution.
 #
 # 3. Neither the name of the copyright holder nor the names of its contributors may be used to
 # endorse or promote products derived from this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
 # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 ####################################################################################################

 CURR_DIR=`dirname $(readlink -f $0)`

 # Set Required Software Versions
 NODE_MAJOR_VER='16'
 MONGODB_VER='6.0'
 EL_RELEASE='8'
 XBROWSERSYNC_VER='1.1.13'

 # SSL cert details to use with the XBS Node service on HTTPS
 SSL_CERT_FILE='example.crt'
 SSL_KEY_FILE='example.key'

 # Hostname the XBS api will be served from
 HOSTNAME='api.examplexbs.com'

 # Set Mongo credentials for XBS
 XBROWSERSYNC_DB_USER='xbrowsersyncdb'
 XBROWSERSYNC_DB_PWD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`

 echo "DB username: $XBROWSERSYNC_DB_USER";
 echo "DB password: $XBROWSERSYNC_DB_PWD";

 set -e -x

 # Create required system accounts
 groupadd -r xbrowsersync
 useradd -r -g xbrowsersync xbrowsersync

 # Setup Firewall correctly
 ex /etc/firewalld/firewalld.conf -s -c ':%s/AllowZoneDrifting=yes/AllowZoneDrifting=no/' -c ':wq!'
 systemctl restart firewalld
 firewall-cmd --add-service=https --permanent
 firewall-cmd --reload

 # Need to be able to extract & configure the below software
 dnf -y install tar xz gzip jq

 # Download all of the software we need
 cd /usr/local/src/
 curl -o node_setup_$NODE_MAJOR_VER.x.sh https://rpm.nodesource.com/setup_$NODE_MAJOR_VER.x
 curl --location-trusted -o api-$XBROWSERSYNC_VER.tar.gz https://github.com/xbrowsersync/api/archive/v$XBROWSERSYNC_VER.tar.gz

 # Install node
 chmod u+x node_setup_$NODE_MAJOR_VER.x.sh
 ./node_setup_$NODE_MAJOR_VER.x.sh
 # failovermethod is actually invalid config as far as dnf is concerned, but nodesource
 # haven't fixed this yet: https://github.com/nodesource/distributions/issues/1311
 ex /etc/yum.repos.d/nodesource-el$EL_RELEASE.repo -s -c ':%s/failovermethod=priority/#failovermethod=priority/g' -c ':wq!'
 dnf install -y nodejs
 npm install -g npm@latest

 # Install Mongo
 # .repo file contents slightly modified from here: https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-red-hat/
 echo "[mongodb-org-$MONGODB_VER]
 name=MongoDB $MONGODB_VER Repository
 baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/$MONGODB_VER/\$basearch/
 gpgcheck=1
 enabled=1
 gpgkey=https://www.mongodb.org/static/pgp/server-$MONGODB_VER.asc" > /etc/yum.repos.d/mongo-org-$MONGODB_VER.repo
 dnf -y install mongodb-org-server mongodb-mongosh mongodb-database-tools
 systemctl daemon-reload
 systemctl enable --now mongod
 systemctl start mongod

 # mongosh complains about this being too low on first launch, recommends this value
 # here: https://www.mongodb.com/docs/manual/administration/production-checklist-operations/
 sysctl -w vm.max_map_count=128000
 # mongosh complains this is set to 'always', and should be set to 'never'
 echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled
 grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) transparent_hugepage=never"
 systemctl restart mongod

 # Configure the DB for use with XBS
 mongosh <<< "disableTelemetry();
 db.disableFreeMonitoring();
 use admin;
 db.createUser({ user: \"$XBROWSERSYNC_DB_USER\", pwd: \"$XBROWSERSYNC_DB_PWD\", roles: [ { role: \"readWrite\", db: \"xbrowsersync\" }, { role: \"readWrite\", db: \"xbrowsersynctest\" } ] });
 use xbrowsersync;
 db.newsynclogs.createIndex( { \"expiresAt\": 1 }, { expireAfterSeconds: 0 } );
 db.newsynclogs.createIndex({ \"ipAddress\": 1 });"

 # Enable security on MongoDB after we've created the users and DB
 ex /etc/mongod.conf -s -c ':%s/#security:/security: \r  authorization: enabled/' -c ':wq!'
 systemctl restart mongod

 # Setup xBrowserSync
 tar xfz api-$XBROWSERSYNC_VER.tar.gz
 mv api-$XBROWSERSYNC_VER /srv/xBrowserSync
 cd /srv/xBrowserSync
 npm install --only=production

 # Configure XBS, altering certain default values
 cd config
 jq -M ".server.host = \"$HOSTNAME\" |
 .server.https.certPath = \"/srv/certs/$SSL_CERT_FILE\" |
 .server.https.enabled = true |
 .server.https.keyPath = \"/srv/certs/$SSL_KEY_FILE\" |
 .server.port = 443" settings.default.json > settings.json
 cd ../

 # Put the certs in place
 mkdir /srv/certs/
 cp $CURR_DIR/$SSL_CERT_FILE /srv/certs/
 cp $CURR_DIR/$SSL_KEY_FILE /srv/certs/

 # Setup the log directory
 mkdir /var/log/xBrowserSync
 chown -R xbrowsersync:xbrowsersync /var/log/xBrowserSync/

 # Configure to work with systemd startup
 echo '[Unit]
 Description=xBrowserSync service
 After=syslog.target network.target remote-fs.target nss-lookup.target

 [Service]
 User=xbrowsersync
 Group=xbrowsersync
 RuntimeDirectory=xBrowserSync
 RuntimeDirectoryMode=0755
 LogsDirectory=xBrowserSync
 LogsDirectoryMode=0755

 Type=exec
 PIDFile=/run/xBrowserSync/xBrowserSync.pid
 ExecStart=/usr/bin/node /srv/xBrowserSync/dist/api.js
 ExecReload=/bin/kill -s HUP $MAINPID
 ExecStop=/bin/kill -s QUIT $MAINPID
 PrivateTmp=true
 ProtectSystem=strict
 ReadWritePaths=/run/xBrowserSync /var/log/xBrowserSync
 ProtectHome=true
 NoNewPrivileges=true
 PrivateDevices=true
 Environment="NODE_ENV=production"

 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=true

 # This allows xbrowsersync user to bind to ports below 1024
 # which is normally restricted to the root user under systemd
 AmbientCapabilities=CAP_NET_BIND_SERVICE

 [Install]
 WantedBy=multi-user.target' > /usr/lib/systemd/system/xBrowserSync.service

 # Set the required credential env vars for systemd started XBS to connect to Mongo
 mkdir -p /etc/systemd/system/xBrowserSync.service.d/
 echo "[Service]
 Environment=\"XBROWSERSYNC_DB_USER=$XBROWSERSYNC_DB_USER\"
 Environment=\"XBROWSERSYNC_DB_PWD=$XBROWSERSYNC_DB_PWD\"
 " > /etc/systemd/system/xBrowserSync.service.d/override.conf

 # Ensure XBS is enabled correctly with systemd
 systemctl daemon-reload
 systemctl enable --now xBrowserSync
 systemctl start xBrowserSync
	#!/bin/sh

	####################################################################################################
	#
	# Setup xBrowserSync API on CentOS
	#
	# Copyright (c) 2020, Tom Chapman (https://tom-chapman.uk)
	# All rights reserved.
	#
	# Redistribution and use in source and binary forms, with or without modification, are
	# permitted provided that the following conditions are met:
	#
	# 1. Redistributions of source code must retain the above copyright notice, this list of conditions
	# and the following disclaimer.
	#
	# 2. Redistributions in binary form must reproduce the above copyright notice, this list of
	# conditions and the following disclaimer in the documentation and/or other materials provided with
	# the distribution.
	#
	# 3. Neither the name of the copyright holder nor the names of its contributors may be used to
	# endorse or promote products derived from this software without specific prior written permission.
	#
	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
	# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
	# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
	# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
	# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	#
	####################################################################################################

	CURR_DIR=`dirname $(readlink -f $0)`

	# Set Required Software Versions
	NODE_MAJOR_VER='16'
	MONGODB_VER='6.0'
	EL_RELEASE='8'
	XBROWSERSYNC_VER='1.1.13'

	# SSL cert details to use with the XBS Node service on HTTPS
	SSL_CERT_FILE='example.crt'
	SSL_KEY_FILE='example.key'

	# Hostname the XBS api will be served from
	HOSTNAME='api.examplexbs.com'

	# Set Mongo credentials for XBS
	XBROWSERSYNC_DB_USER='xbrowsersyncdb'
	XBROWSERSYNC_DB_PWD=`cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1`

	echo "DB username: $XBROWSERSYNC_DB_USER";
	echo "DB password: $XBROWSERSYNC_DB_PWD";

	set -e -x

	# Create required system accounts
	groupadd -r xbrowsersync
	useradd -r -g xbrowsersync xbrowsersync

	# Setup Firewall correctly
	ex /etc/firewalld/firewalld.conf -s -c ':%s/AllowZoneDrifting=yes/AllowZoneDrifting=no/' -c ':wq!'
	systemctl restart firewalld
	firewall-cmd --add-service=https --permanent
	firewall-cmd --reload

	# Need to be able to extract & configure the below software
	dnf -y install tar xz gzip jq

	# Download all of the software we need
	cd /usr/local/src/
	curl -o node_setup_$NODE_MAJOR_VER.x.sh https://rpm.nodesource.com/setup_$NODE_MAJOR_VER.x
	curl --location-trusted -o api-$XBROWSERSYNC_VER.tar.gz https://github.com/xbrowsersync/api/archive/v$XBROWSERSYNC_VER.tar.gz

	# Install node
	chmod u+x node_setup_$NODE_MAJOR_VER.x.sh
	./node_setup_$NODE_MAJOR_VER.x.sh
	# failovermethod is actually invalid config as far as dnf is concerned, but nodesource
	# haven't fixed this yet: https://github.com/nodesource/distributions/issues/1311
	ex /etc/yum.repos.d/nodesource-el$EL_RELEASE.repo -s -c ':%s/failovermethod=priority/#failovermethod=priority/g' -c ':wq!'
	dnf install -y nodejs
	npm install -g npm@latest

	# Install Mongo
	# .repo file contents slightly modified from here: https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-red-hat/
	echo "[mongodb-org-$MONGODB_VER]
	name=MongoDB $MONGODB_VER Repository
	baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/$MONGODB_VER/\$basearch/
	gpgcheck=1
	enabled=1
	gpgkey=https://www.mongodb.org/static/pgp/server-$MONGODB_VER.asc" > /etc/yum.repos.d/mongo-org-$MONGODB_VER.repo
	dnf -y install mongodb-org-server mongodb-mongosh mongodb-database-tools
	systemctl daemon-reload
	systemctl enable --now mongod
	systemctl start mongod

	# mongosh complains about this being too low on first launch, recommends this value
	# here: https://www.mongodb.com/docs/manual/administration/production-checklist-operations/
	sysctl -w vm.max_map_count=128000
	# mongosh complains this is set to 'always', and should be set to 'never'
	echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled
	grub2-editenv - set "$(grub2-editenv - list \| grep kernelopts) transparent_hugepage=never"
	systemctl restart mongod

	# Configure the DB for use with XBS
	mongosh <<< "disableTelemetry();
	db.disableFreeMonitoring();
	use admin;
	db.createUser({ user: \"$XBROWSERSYNC_DB_USER\", pwd: \"$XBROWSERSYNC_DB_PWD\", roles: [ { role: \"readWrite\", db: \"xbrowsersync\" }, { role: \"readWrite\", db: \"xbrowsersynctest\" } ] });
	use xbrowsersync;
	db.newsynclogs.createIndex( { \"expiresAt\": 1 }, { expireAfterSeconds: 0 } );
	db.newsynclogs.createIndex({ \"ipAddress\": 1 });"

	# Enable security on MongoDB after we've created the users and DB
	ex /etc/mongod.conf -s -c ':%s/#security:/security: \r authorization: enabled/' -c ':wq!'
	systemctl restart mongod

	# Setup xBrowserSync
	tar xfz api-$XBROWSERSYNC_VER.tar.gz
	mv api-$XBROWSERSYNC_VER /srv/xBrowserSync
	cd /srv/xBrowserSync
	npm install --only=production

	# Configure XBS, altering certain default values
	cd config
	jq -M ".server.host = \"$HOSTNAME\" \|
	.server.https.certPath = \"/srv/certs/$SSL_CERT_FILE\" \|
	.server.https.enabled = true \|
	.server.https.keyPath = \"/srv/certs/$SSL_KEY_FILE\" \|
	.server.port = 443" settings.default.json > settings.json
	cd ../

	# Put the certs in place
	mkdir /srv/certs/
	cp $CURR_DIR/$SSL_CERT_FILE /srv/certs/
	cp $CURR_DIR/$SSL_KEY_FILE /srv/certs/

	# Setup the log directory
	mkdir /var/log/xBrowserSync
	chown -R xbrowsersync:xbrowsersync /var/log/xBrowserSync/

	# Configure to work with systemd startup
	echo '[Unit]
	Description=xBrowserSync service
	After=syslog.target network.target remote-fs.target nss-lookup.target

	[Service]
	User=xbrowsersync
	Group=xbrowsersync
	RuntimeDirectory=xBrowserSync
	RuntimeDirectoryMode=0755
	LogsDirectory=xBrowserSync
	LogsDirectoryMode=0755

	Type=exec
	PIDFile=/run/xBrowserSync/xBrowserSync.pid
	ExecStart=/usr/bin/node /srv/xBrowserSync/dist/api.js
	ExecReload=/bin/kill -s HUP $MAINPID
	ExecStop=/bin/kill -s QUIT $MAINPID
	PrivateTmp=true
	ProtectSystem=strict
	ReadWritePaths=/run/xBrowserSync /var/log/xBrowserSync
	ProtectHome=true
	NoNewPrivileges=true
	PrivateDevices=true
	Environment="NODE_ENV=production"

	ProtectKernelModules=true
	ProtectKernelTunables=true
	ProtectControlGroups=true
	RestrictRealtime=true
	RestrictNamespaces=true

	# This allows xbrowsersync user to bind to ports below 1024
	# which is normally restricted to the root user under systemd
	AmbientCapabilities=CAP_NET_BIND_SERVICE

	[Install]
	WantedBy=multi-user.target' > /usr/lib/systemd/system/xBrowserSync.service

	# Set the required credential env vars for systemd started XBS to connect to Mongo
	mkdir -p /etc/systemd/system/xBrowserSync.service.d/
	echo "[Service]
	Environment=\"XBROWSERSYNC_DB_USER=$XBROWSERSYNC_DB_USER\"
	Environment=\"XBROWSERSYNC_DB_PWD=$XBROWSERSYNC_DB_PWD\"
	" > /etc/systemd/system/xBrowserSync.service.d/override.conf

	# Ensure XBS is enabled correctly with systemd
	systemctl daemon-reload
	systemctl enable --now xBrowserSync
	systemctl start xBrowserSync